Kali tools


Information Gathering

DNSRecon Package Description

DNSRecon provides the ability to perform:

  • Check all NS Records for Zone Transfers
  • Enumerate General DNS Records for a given Domain (MX, SOA, NS, A, AAAA, SPF and TXT)
  • Perform common SRV Record Enumeration. Top Level Domain (TLD) Expansion
  • Check for Wildcard Resolution
  • Brute Force subdomain and host A and AAAA records given a domain and a wordlist
  • Perform a PTR Record lookup for a given IP Range or CIDR
  • Check a DNS Server Cached records for A, AAAA and CNAME Records provided a list of host records in a text file to check
  • Enumerate Common mDNS records in the Local Network Enumerate Hosts and Subdomains using Google

Source: DNSRecon README
DNSRecon Homepage | Kali DNSRecon Repo

  • Author: Carlos Perez
  • License: GPLv2

Tools included in the dnsrecon package

dnsrecon – A powerful DNS enumeration script
root@kali:~# dnsrecon -h
usage: dnsrecon.py [-h] [-d DOMAIN] [-n NS_SERVER] [-r RANGE] [-D DICTIONARY]
[-f] [-t TYPE] [-a] [-s] [-g] [-b] [-k] [-w] [-z]
[—threads THREADS] [—lifetime LIFETIME] [—tcp] [—db DB]
[-x XML] [-c CSV] [-j JSON] [—iw] [-v]

optional arguments:
-h, —help            show this help message and exit
-d DOMAIN, —domain DOMAIN
Target domain.
-n NS_SERVER, —name_server NS_SERVER
Domain server to use. If none is given, the SOA of the
target will be used.
-r RANGE, —range RANGE
IP range for reverse lookup brute force in formats
(first-last) or in (range/bitmask).
Dictionary file of subdomain and hostnames to use for
brute force. Filter out of brute force domain lookup,
records that resolve to the wildcard defined IP
address when saving records.
-f                    Filter out of brute force domain lookup, records that
resolve to the wildcard defined IP address when saving
-t TYPE, —type TYPE  Type of enumeration to perform.
-a                    Perform AXFR with standard enumeration.
-s                    Perform a reverse lookup of IPv4 ranges in the SPF
record with standard enumeration.
-g                    Perform Google enumeration with standard enumeration.
-b                    Perform Bing enumeration with standard enumeration.
-k                    Perform crt.sh enumeration with standard enumeration.
-w                    Perform deep whois record analysis and reverse lookup
of IP ranges found through Whois when doing a standard
-z                    Performs a DNSSEC zone walk with standard enumeration.
—threads THREADS     Number of threads to use in reverse lookups, forward
lookups, brute force and SRV record enumeration.
—lifetime LIFETIME   Time to wait for a server to response to a query.
—tcp                 Use TCP protocol to make queries.
—db DB               SQLite 3 file to save found records.
-x XML, —xml XML     XML file to save found records.
-c CSV, —csv CSV     Comma separated value file.
-j JSON, —json JSON  JSON file.
—iw                  Continue brute forcing a domain even if a wildcard
records are discovered.
-v                    Enable verbose

dnsrecon Usage Example

Scan a domain (-d example.com), use a dictionary to brute force hostnames (-D /usr/share/wordlists/dnsmap.txt), do a standard scan (-t std), and save the output to a file (–xml dnsrecon.xml):

root@kali:~# dnsrecon -d example.com -D /usr/share/wordlists/dnsmap.txt -t std —xml dnsrecon.xml
[*] Performing General Enumeration of Domain:example.com
[*] DNSSEC is configured for example.com
[*] DNSKEYs: